Being Secure Against Cyberattacks

Authored by Mr. Nitin Bhatnagar, Associate Director, India, PCI Security Standards Council

Data breaches and cyber-attacks are a global problem and have impacted India, as we have seen in some high-profile incidents in the news at the start of 2021. This is an alarming trend and a reminder that cyber criminals are out there, finding ways to attack your business for illicit gains. This fact makes cybersecurity more important than ever. According to a recent WEF report, businesses need to identify threats and make a plan to implement industry-specific security requirements to better protect their customers' payment data (an example of this would be the Payment Card Industry Data Security Standard [PCI DSS] requirements). This past December, the PCI SSC hosted our annual PCI India Forum 2020, where Lt. General (Dr) Rajesh Pant, India's National Cybersecurity Coordinator, also emphasized the importance of adhering to data security standards and recommended that businesses adopt PCI Security Standards to help protect payment data.

According to a Cybersecurity Ventures report, cybercrime is predicted to grow 15% every year to hit $10.5 trillion by 2025, up from $3 trillion in 2015, which makes it one of the greatest threats to economic success for businesses in almost every country around the world. Raising awareness and education on how to prevent data breaches is a priority for the Council. The PCI SSC is sharing knowledge and fostering greater participation from Indian organizations in the work we do globally to improve payment data security. We are encouraging Indian businesses to help us by joining our community and becoming a Participating Organization with the PCI SSC.

Being Secure

PCI SSC has published 15 unique security standards to help facilitate security across a range of payment acceptance platforms. The PCI Data Security Standard (PCI DSS) is the most comprehensive and widely used of these standards; it provides a baseline of technical and operational requirements designed to protect account data. Other standards developed by the PCI SSC are designed to help merchants, service providers, issuers and acquirers facilitate PCI DSS compliance, to help vendors develop secure devices and software, and to provide guidance on securing environments.

For many organizations, the question of what it means to be compliant with the DSS is an important one. For too many organizations, compliance is seen as checking a box during a compliance report and then slipping back into bad security habits once the report is completed. This is a poor approach to addressing the main issue of being secure. Compliance on one given day does not mean 24/7 security. Shifting the mindset from one of compliance to a continuous, risk-based mentality is a critical component of making payment security business-as-usual. The ongoing security of cardholder data should be the main objective behind all PCI DSS compliance activities.

The result of failing to maintain proper security can be catastrophic to a business. Failing to maintain compliance at all times could leave organizations more susceptible to security control failures, malicious attack, or accidental information leakage.

In order to address these compliance challenges, the PCI SSC developed a resource to help organizations address the main ones. The Information Supplement: Best Practices for Maintaining PCI DSS Compliance provides practical recommendations for dealing with some of the key challenges in maintaining compliance and offers solutions to help organizations avoid the pitfalls of compliance fall-off. Using this guidance as a resource, merchants, service providers and other organizations can better understand how to plan for and maintain a state of continuous compliance. This information supplement includes the following:

  • Guidance on managing internal compliance programs, scope and compensating control reviews, maintaining evidence of security control effectiveness, security awareness, and monitoring compliance of third-party service providers.
  • Guidance on roles and responsibilities, measuring adequacy and effectiveness of security controls, and sampling of controls.
  • The addition of two new appendices to assist with identifying applicable PCI DSS requirements for different asset types and managing compliance monitoring activities.

Education is Key

The payments industry in India faces the challenge of businesses adopting new and emerging technologies without fully considering the security implications after implementation. Proper cybersecurity training is critical to combat the increasing threat of cyberattacks on businesses. Now more than ever, we must do all we can to protect our business's data. This starts with having the right qualifications, such as the Payment Card Industry Professional (PCIP) qualification. By ensuring your employees are trained in the most up-to-date techniques, you are giving your business a better chance to combat cybercrime.

A 2019 survey of business leaders in India revealed that almost half of the respondents who experienced a security breach said there was a reputational impact on their business. It’s clear that all business stakeholders—from investors to customers—value strong data security and lose trust in businesses that don’t take it seriously. Companies that consider securing their consumers’ payment data a primary goal will have the opportunity to strengthen trust in their business, a key ingredient to success and continued growth throughout 2021.
